AWS SDN connector with IAM credentials
For instances running in AWS (on demand or BYOL), you can set up the AWS SDN connector using AWS Identity and Access Management (IAM) credentials, so that the FortiGate uses the IAM role attached to its instance instead of stored access keys.

IAM authentication is available only for FGT-AWS and FGT-AWSONDEMAND platforms.

To configure AWS SDN connector using the GUI:
  1. Configure the AWS SDN connector:
    1. Go to Security Fabric > Fabric Connectors.
    2. Click Create New, and select Amazon Web Services (AWS).
    3. Configure as shown:

  2. Create a dynamic firewall address for the configured AWS SDN connector:
    1. Go to Policy & Objects > Addresses.
    2. Click Create New, then select Address.
    3. Configure the address as shown, selecting the desired filter in the Filter dropdown list.

      Following is an example for a public SDN address type:

      Following is an example for a private SDN address type:

  3. Ensure that the AWS SDN connector resolves dynamic firewall IP addresses:
    1. Go to Policy & Objects > Addresses.
    2. Hover over the address created in step 2 to see a list of IP addresses for instances that belong to the security group configured in step 2.

      Following is an example for a public SDN address type:

      Following is an example for a private SDN address type:

To configure AWS SDN connector using CLI commands:
  1. Configure the AWS connector:

    config system sdn-connector
        edit "aws1"
            set status enable
            set type aws
            set use-metadata-iam enable
            set update-interval 60
        next
    end

  2. Create a dynamic firewall address for the configured AWS SDN connector with the supported filter:

    Dynamic firewall address IPs are resolved by the SDN connector.

    config firewall address
        edit "aws-ec2"
            set type dynamic
            set sdn "aws1"
            set filter "SecurityGroupId=sg-05f4749cf84267548"
            set sdn-addr-type public
        next
        edit "aws-eks1"
            set type dynamic
            set sdn "aws1"
            set filter "K8S_Region=us-west-2"
        next
    end

  3. Confirm that the AWS SDN connector resolves dynamic firewall IP addresses using the configured filter (the resolved IPs appear as entries under the address's config list):

    config firewall address
        edit "aws-ec2"
            set uuid e756e786-3a2e-51e9-9d40-9492098de42d
            set type dynamic
            set sdn "aws1"
            set filter "SecurityGroupId=sg-05f4749cf84267548"
            set sdn-addr-type public
            config list
                edit "34.222.246.198"
                next
                edit "54.188.139.177"
                next
                edit "54.218.229.229"
                next
            end
        next
        edit "aws-eks1"
            set uuid d84589aa-3a10-51e9-b1ac-08145abce4d6
            set type dynamic
            set sdn "aws1"
            set filter "K8S_Region=us-west-2"
            config list
                edit "192.168.114.197"
                next
                edit "192.168.167.20"
                next
                edit "192.168.180.72"
                next
                edit "192.168.181.186"
                next
                edit "192.168.210.107"
                next
            end
        next
    end
